Total: 14188 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-18263 | 1 Php-cms Project | 1 Php-cms | 2021-11-05 | 5.0 MEDIUM | 7.5 HIGH | PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability in the component search.php via the search parameter. This vulnerability allows attackers to access sensitive database information.
CVE-2020-24000 | 1 Eyoucms | 1 Eyoucms | 2021-11-04 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in eyoucms cms v1.4.7 allows attackers to execute arbitrary code and disclose sensitive information via the tid parameter to index.php.
CVE-2020-12013 | 2 Iconics, Mitsubishielectric | 11 Bizviz, Energy Analytix, Facility Analytix and 8 more | 2021-11-04 | 6.4 MEDIUM | 9.1 CRITICAL | A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.
CVE-2021-36184 | 1 Fortinet | 1 Fortiwlm | 2021-11-04 | 4.0 MEDIUM | 6.5 MEDIUM | An improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to disclose device, user and database information via crafted HTTP requests.
CVE-2021-39179 | 1 Dhis2 | 1 Dhis 2 | 2021-11-03 | 6.5 MEDIUM | 8.8 HIGH | DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors. This vulnerability affects the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` API endpoints in all DHIS2 versions 2.34, 2.35, and 2.36. It also affects versions 2.32 and 2.33 which have reached _end of support_ - exceptional security updates have been added to the latest *end of support* builds for these versions. Versions 2.31 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user - the vulnerability requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. Security patches are available in DHIS2 versions 2.32-EOS, 2.33-EOS, 2.34.7, 2.35.7, and 2.36.4. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` endpoints as a temporary workaround while waiting to upgrade.
CVE-2021-26739 | 1 Doyocms Project | 1 Doyocms | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in pay.php in millken doyocms 2.3 allows attackers to execute arbitrary code via the attribute parameter.
CVE-2021-41187 | 1 Dhis2 | 1 Dhis 2 | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH | DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.32, 2.33, 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance and /api/events endpoints as a temporary workaround while waiting to upgrade.
CVE-2021-38754 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php.
CVE-2021-37803 | 1 Online Covid Vaccination Scheduler System Project | 1 Online Covid Vaccination Scheduler System | 2021-11-02 | 9.3 HIGH | 8.1 HIGH | An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php.
CVE-2021-3239 | 1 E-learning System Project | 1 E-learning System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.
CVE-2020-23045 | 1 Macs Cms Project | 1 Macs Cms | 2021-10-29 | 6.5 MEDIUM | 7.2 HIGH | Macrob7 Macs Framework Content Management System 1.14f was discovered to contain a SQL injection vulnerability via the 'roleId' parameter of the `editRole` and `deletUser` modules.
CVE-2020-24932 | 1 Sourcecodester | 1 Complaint Management System | 2021-10-29 | 7.5 HIGH | 9.8 CRITICAL | An SQL Injection vulnerability exists in Sourcecodester Complaint Management System 1.0 via the cid parameter in complaint-details.php.
CVE-2020-28960 | 1 Cct95 | 1 Chichen Tech Cms | 2021-10-28 | 10.0 HIGH | 9.8 CRITICAL | Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters.
CVE-2021-37371 | 1 Online Student Admission System Project | 1 Online Student Admission System | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL | Online Student Admission System 1.0 is affected by an unauthenticated SQL injection bypass vulnerability in /admin/login.php.
CVE-2019-10916 | 1 Siemens | 4 Simatic Pcs 7, Simatic Wincc, Simatic Wincc (tia Portal) and 1 more | 2021-10-28 | 9.0 HIGH | 8.8 HIGH | A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). An attacker with access to the project file could run arbitrary system commands with the privileges of the local database server. The vulnerability could be exploited by an attacker with access to the project file. The vulnerability does impact the confidentiality, integrity, and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2020-21250 | 1 Cszcms | 1 Csz Cms | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL | CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php.
CVE-2021-26609 | 1 Mangboard | 1 Mang Board | 2021-10-28 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability was found in Mangboard (WordPress plugin). A SQL injection vulnerability was found in the order_type parameter. The order_type parameter makes a SQL query using unfiltered data. This vulnerability allows a remote attacker to steal user information.
CVE-2021-24769 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2021-10-27 | 6.5 MEDIUM | 7.2 HIGH | The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection.
CVE-2021-24662 | 1 Game-server-status Project | 1 Game-server-status | 2021-10-27 | 6.5 MEDIUM | 7.2 HIGH | The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in a SQL statement, leading to an Authenticated SQL Injection in an admin page.
CVE-2021-24774 | 1 Wpchill | 1 Check & Log Email | 2021-10-27 | 6.5 MEDIUM | 7.2 HIGH | The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues.